Data transferred over communication networks is becoming increasingly sensitive. Communication networks, such as mobile, wireless and fixed communication networks, are nowadays more and more frequently used for e.g. various economical and business related transactions, control of cyber-physical systems, etc. Therefore there is a need for stronger security measures.
In for instance mobile communications it is important that the communication network and user equipment (UE) mutually authenticate each other and are able to encrypt exchanged traffic data, where both of these security services being critically dependent on secure key management including key agreement or key establishment.
In this respect, mobile networks from second generation (2G) and onward have made use of strong, (Universal) Subscriber Identity Module ((U)SIM) card based authentication and encryption key agreement. From third generation (3G) networks and on, authentication has been mutual: both network and user equipment authenticate each other. USIM based 3G/4G authentication is described in e.g. 3GPP TS 33.102 V12.2.0 and 33.401 V12.13.0. The protocol is known as UMTS AKA or LTE AKA, depending on which access network type is used, where UMTS AKA is an acronym for Universal Mobile Telecommunication System Authentication and Key Agreement and LTE AKA is an acronym for Long Term Evolution Authentication and Key Agreement. As a note, while the 3GPP standards use the term key agreement, the protocols actually used are more of key establishment nature. The difference is however not important for the discussion. Variants of this AKA protocol have been developed for IP Multimedia Subsystem (IMS), IMS AKA, non-3GPP access technologies (EAP-AKA, IETF RFC 4187) and for general service layer authentication (Generic Bootstrapping Architecture, GBA, 3GPP TS 33.220 V12.3.0).
FIG. 1 shows the functioning of AKA on a high level for a 3G network according to TS 33.102 V12.2.0, where a mobile station MS, which is a type of communication device that corresponds to a user equipment, communicates with a Visiting Location Register (VLR)/Serving Gateway Support Node (SGSN) of a serving network (SN), which in turn communicates with a Home Environment (HE)/Home Location Register (HLR). In 4G/LTE, a Mobile Management Entity (MME) takes the place of VLR/SGSN and HE/HLR corresponds to Home Subscriber Server (HSS).
FIG. 1 the VLR/SGSN is shown as sending an authentication data request 10 to the HE/HLR concerning a visiting mobile station MS. The HE/HLR generates 12 a set of authentication vectors (AV(1 . . . n)) and sends the vectors (AV1 . . . n) to the VLR/SGSN in an Authentication data response message 14, where the VLR/SGSN then stores 16 the authentication vectors. These steps here together form a phase 17 of distribution and authentication vectors from the HE.
Thereafter follows an authentication and key establishment (or key agreement) phase 31. When authentication is to take place in this phase 31, the VLR/SGSN selects 18 an available (unused) authentication vector and based on the content of this vector it sends a user authentication request message ARQ 20 comprising a challenge using a random value Rand(i) and an authentication token AUTN(i), where AUTN(i) comprises a challenge verification code, and the index i indicates that the value is associated with AVi. The AUTN(i) is verified in the MS, and if verification succeeds, a result RES(i) is computed in a verification step 22. To be precise, these operations are carried out by the USIM in the MS. The MS then sends a user authentication response message (ARE) 20 comprising the result RES(i). The authentication vector comprises the expected result XRES(i) and the VLR/SGSN then compares 26 the received result RES(i) with the expected result XRES(i), and if the comparison was successful (i.e. the two values being equal), the VLR/SGSN then selects 30 a corresponding ciphering key CK(i) and integrity protection key IK(i). At the same time, the MS (again, to be precise, the USIM) computes 28 the same keys CK(i) and IK(i). In the case of LTE, further keys are derived from CK(i) and IK(i), e.g. a so called Kasme key (not shown), this derivation being done in the part of the MS that is outside the USIM. This part outside of the USIM is referred to as Mobile Equipment (ME).
In an authentication and key agreement of the type shown in FIG. 1 and described above, a secret key K, with advantage pre-shared, is used and stored both in the user equipment (specifically, in the USIM) and in the home network. The shared key K is then used for deriving CK (i) and IK (i).
The security of AKA thus depends on the key K being kept secret. Recently, it was reported in media that a USIM card manufacturer's security had been breached and a set of K-keys had “leaked out” (or fallen into wrong hands), thus putting the subscribers associated with these keys at risks such as impersonation, connection hijacking, and eavesdropping (since also the ciphering keys, derived from CK(i) and/or IK(i), are thus potentially also at risk). In the article, https://firstlook.org/theintercept/2015/02/19/great-sim-heist/, retrieved on 6 Jul. 2015, it was mentioned that a potential problem with the AKA protocol, leading to the aforementioned security implications, lied in that AKA lacks so called perfect forward secrecy (PFS).
It is in view of what has been described above of interest to raise the security level of communication between a communication device and a communication network when the security is based on identity modules such as USIM making use of a secret/key shared with a communication network node.
There is thus a need for enhancing communication security between a communication device and a communication network.